English
Russian
Japanese
LatAm
Türkiye
Brasil
France
Český
Deutschland
P2P-Worm.Win32.Scranor
| Class | P2P-Worm |
| Platform | Win32 |
| Description |
Technical DetailsThis worm spreads via the Kazaa and iMesh file-sharing networks, and also via IRC. The worm itself is a Windows PE EXE file, approximately 12KB in size. InstallationOnce launched, the worm creates a folder called “Sys32i” in the Program Files directory, and copies itself to this file as “Scran.exe”. This file is registered in the system registry as a key to enable autorun: [HKLMSoftwareMicrosoftWindowsCurrentVersionRun] W32.Scran = %ProgramDir%sys32iScran.exe This ensures that the worm will be launched each time the system is rebooted. The worm creates several more copies of itself under the following names: Age of Empires crack.exe Age of Empires.exe CD Key.exe Counter Strike 6.exe Counter Strike.exe Grand Theft Auto 3 CD2 ISO.exe Half-Life.exe Hotmail account cracker.exe Hotmail Hack.exe KeyGen.exe Microsoft Office.exe Norton Anti Virus 2004.exe Norton Anti Virus 2005.exe Norton Anti Virus Crack.exe Norton Firewall.exe Norton Internet Security 2004.exe Partition Magic 8.exe Playstation 2.exe Resident Evil.exe Scran.cpl Tomb Raider.exe Trojan Remover.exe Windows XP Home.exe Yahoo Hack.exe ZoneAlarm Firewall Pro.exe This folder will be shown in the system registry as Local Content for Kazaa and iMesh: [HKCUSoftwareKazaaLocalContent] [HKCUSoftwareKazaaTransfer] "dir0" = "012345:%ProgramDir%sys32i" [HKCUSoftwareiMeshClientLocalContent] "dir0" = "012345:%ProgramDir%sys32i" These files will then be accessible to other users of the P2P networks. The worm creates an identifier “W32.Scran-Worm” to flag its presence in the system. Propagation via IRCThe worm searches the victim machine for an IRC client. If it detects one, it will change the contents of the “script.ini” file so that the worm will be passed to all users who enter IRC channels used by the infected machine. OtherThe worm will download a file named “botnet.jpg” from http://www.freewebs.com. This file will be saved in the C: root directory as “botnet.exe”. This file contains the latest version of Backdoor.Win32.Rbot.gen. On the 1st January, the worm will cause a dialogue box containing the following text to be displayed on the screen: Ha? Happy New Year W32.Scran!! |
| Find out the statistics of the threats spreading in your region |